Basic Setup of YubiHSM 2 and HGS
Install and Configuring YubiHSM 2
Install and configure the YubiHSM 2 and software using the instructions in the following sections in the YubiHSM 2 Windows Deployment Guide:
Once these instructions have been followed, the YubiHSM 2 should be configured with the example we are using, one domain with a wrap key (id 0x0002), an application authentication key (id 0x0003), and an audit key (id 0x0004). The configuration of the YubiHSM 2 can be inspected by using the YubiHSM-Shell in a command prompt as shown in the screenshot below.
Figure 2: Example of the YubiHSM 2 basic configuration
Basic Deployment of HGS
To test the encryption and signing certificate/key generation for HGS Key Protection Services, configure a basic HGS environment on a single server. For more information on how to install and configure a complete guarded fabric, see Microsoft’s documentation on guarded fabric deployment.
To use shielded VMs, begin by adding the HGS role and configuring the HGS domain. In the following, we are showing the PowerShell prompt as "PS C:\users\your-username\".
Step 1: Add HGS Role
To add the HGS role to a Windows Server, open a PowerShell console and enter the following command:
PS C:\users\your-username\ Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
For more information on this PowerShell command, see Microsoft’s documentation on how to Install HGS.
Step 2: Install Host Guardian Server on Bastion Host
To configure the Active Directory (AD) forest for HGS, configure the HGS service, and lock down the Windows Server to a bastion host, open a PowerShell console and enter the following command:
PS C:\users\your-username\ $adminPassword = ConvertTo-SecureString -AsPlainText '<password>' -Force PS C:\users\your-username\ Install-HgsServer -HgsDomainName 'bastion.local' -SafeModeAdministratorPassword $adminPassword -Restart
For more information on this PowerShell command, see Microsoft’s documentation on how to Install HGS.